This invention relates to a secure computing environment within a standalone host computer on a virtual private network.
A computing environment is a collection of processes that can interact with each other and access each other's resources without going through a gatekeeper. A gatekeeper is an entity or device that controls the flow of information through it according to some specific policy. A "firewall" is an example of a gatekeeper.
A virtual private network (VPN) is a logical overlay of a private network on top of another public network. Broadly speaking, there are two types of virtual private networks. The first type of virtual private network operates between two or more private networks. An example of this first type is a virtual private network that connects a branch office network to a corporate headquarters network. This type of virtual private network is known as a network-to-network virtual private network. A second type of virtual private network connects a host computer to a private network. An example of this second type is a virtual private network that connects a telecommuter's home computer to his employer's corporate network. The second type of network is known as a host-to-network virtual private network.
Currently, virtual private networks of both types employ cryptographic security measures in the communications link between the remote network or host and the other network. For virtual private networks of the first type, this is typically sufficient in order to ensure a secure virtual private network because each of the networks connected by the virtual private network forms a computing environment that is secured by means of one or more restrictive gatekeepers. That is,
A host in each of the private networks is placed behind a firewall, which provides a first level of defense against hackers in a public network.
A host inside a private network may be professionally monitored by a security staff, and such a staff may be trained to recognize and remedy security breaks.
A host within a private network may also be subject to restrictions regarding modifications and/or additions to the software on the host.
A host within a private network may also be subject to restrictions regarding the people who are able to access the host. At a minimum, physical security measures maintained by the organization will restrict the universe of possible users to persons who have access to the building in which the host is located.
In the case of a host-to-network virtual private network, extra measures are required because none of the above-mentioned restrictions are found in a typical host, such as a PC at the home of an employee. Moreover, while the host connects to a private network and becomes part of the host-to-network virtual private network, it continues to exist in an insecure environment through direct links to the Internet. Consequently, such a host, being a part of and within the virtual private network, potentially exposes the entire private network to an attack that bypasses the firewall or other gatekeepers.
Another danger is that a host that is connected to a private network may also be connected to another private network at the same time, allowing that host computer to concurrently belong to both private networks. Clearly, this is not a desirable situation, particularly if the two networks belong to competing organizations.
The general problem of protecting a computing environment is obviously not new. Multiple protection mechanisms have been proposed in the past based on programming languages, operating system constructs, security protocols, and so on. Most of this work concerns protecting two peer environments from each other. More recently, there has been a great deal of interest in sandboxing in which a secure computing environment is protected against imported elements.
Other work includes protection of mobile code, which is code that roams a network independently. A problem with mobile code involves ensuring the security of the mobile code as it executes on untrusted network elements. A number of solutions have been proposed to ensure security. These include: cryptographic mechanisms that encrypt computation, redundant computation using fault-tolerance mechanisms, and logging. These techniques are well suited to mobile code applications where there can be no trust placed in the remote environment. However, they are unduly costly and restrictive in cases where a remote environment can be trusted to some extent, e.g., when the remote environment is an employee's home computer.
The work on electronic intellectual property protection also utilizes some similar mechanisms. For example, the InterTrust DigiBox architecture described in A Self-Protecting Container For Electronic Commerce, In Proceedings of First USENIX Electronic Commerce Workshop, by Sibert et al., July 1995, is a system that securely exports electronic information to prevent misuse of the information. The work on electronic copy protection is focused on securely exporting passive documents.
A number of systems have proposed using wrappers to protect applications. The StrongBox system, described by B. S. Yee in "A Sanctuary for Mobile Agents," Technical Report CS97-537, University of California at San Diego, La Jolla, Calif., April 1997, represents an early approach that focuses on the security of client-server systems in which both the client and server might be running on untrusted machines. More recently, a system that uses software wrappers to secure off-the-shelf applications running in unsafe environments is described in Hardening COTS Software with Generic Software Wrappers, by Fraser et al., in Proceedings of the 1999 IEEE Symposium on Security and Privacy, May 1999. This work, however, is targeted at the problem of "hardening" individual applications and not at securing whole environments.
Finally, there has been a lot of work on secure operating systems. The earliest related work is the classic report by James Anderson in 1972 in Technical Report ESD-TR-73-51, Electronics Systems Division, entitled Computer Security Technology Planning Study, that introduced reference monitors. Reference monitors ensure that all accesses to system resources are authorized and can be implemented in software and/or hardware. Other secure operating systems include: SCOMP: A Solution to the Multilevel Security Problem, by Fraim, in Computer 16(7):26-34, 1983; LOCK Trek: Navigating Uncharted Space, by Saydjari et al., in Proceedings of the 1989 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 167-175; VAX VMM, described in A Retrospective on VAX VMM Security Kernel, by Karger et al., in IEEE Transactions on Software Engineering 17(11): 1147-1165, 1991; and Trusted Mach, described in Access Mediation in a Message Passing Kernel, by Branstad et al., in Proceedings of the IEEE Computer Society Symposium on Security and Privacy, pp. 66-72, 1989. The SCOMP and LOCK architectures use a separate security processor for reference validation. The VAX VMM system uses virtual machines, which are described in Survey of Virtual Machine Research, by Goldberg, IEEE Computer Magazine 7(a): 34-45, June 1974, to provide multilevel security and access control. Lastly, the Trusted Mach kernel uses a kernel and trusted servers to enforce Bell-LaPadula security, which is described in Secure Computer System: Unified Exposition and Multics Interpretation, by Bell et al., Technical Report MTR-2997 Rev. 1 AD A023 588, The Mitre Corp., 1976.
It will be readily apparent from the above that a need exists in the art for providing additional security to a standalone host. This need is satisfied, and an advance in the art is achieved, with an arrangement that creates a secure computing environment in a host computer. The created "reverse sandbox" computing environment is considered a safe area that is protected from attacks originating outside the safe area. The reverse sandbox technique extends a private computing environment such as a private network into a public environment such as a standalone PC accessible by everyone. Reverse sandboxing is effectively an approach for exporting protected environments in a way that guarantees that the environment is not accessed in an unauthorized manner.
An implementation of reverse sandboxing in accordance with this invention provides confidentiality and integrity but not availability. It assumes a host with clean hardware and a trusted boot sequence that verifies the host's operating system. In such an implementation, a telecommuter, for example, can run any work-related application within a reverse sandboxed environment without compromising security, and can concurrently use the host for other private purposes such as surfing the web or reading personal email.
An illustrative embodiment of a reverse sandboxing architecture in accordance with this invention is policy-driven, which allows administrators to easily tailor the behavior of the reverse sandbox to match specific needs. It also allows legacy applications to be run unmodified without compromising the execution of the legacy applications.